RansNet and Cisco IOS Router – GRE over IPSec

RansNet WAN solutions can establish IPSec VPN tunnels with 3rd-party products using standard IPSec protocols. This interoperability is important to compliment customers’ legacy setup and enable business operations in multi-vendor networks. We have sample guides for inter-working with Fortinet and Cisco Meraki. This document details how to set up Spoke-to-Spoke VPN tunnels between RansNet and Cisco IOS routers.

Cisco DMVPN combines “GRE over IPSec” and NHRP and dynamic routing technologies, and allows peers to auto establish VPN tunnels directly. But there’s a huge dependency – each peer must have reachability to each other, either directly over public IP or indirectly (from behind another NAT device). In real life, many branch routers do not have public IP addresses due to Carrier-grade NAT, especially when connected via 4G/5G.

So the alternative is to use spoke-to-spoke topology, eg. the spokes will route through the hub. In this topology, only the hub needs a static IP address and the spokes are flexible to have any form of WAN IP addresses, as long as they can reach the hub IP. Please refer to this link for the various VPN topologies we can support.

It is extremely easy to use the RansNet SD-WAN orchestrator to build a spoke-to-spoke VPN topology among RansNet routers. But this document is to demonstrate interoperability, so we use a Cisco IOS router as the VPN hub, and remote branches use RansNet SD-Branch (HSA/UA/CMG) routers.

Usually, configuring “GRE” over IPSec ” among Cisco IOS routers is a very complex task. But our SD-WAN orchestrator can still help to simply the configuration, for the RansNet routers.

There are a few key concepts to this configuration:

  • We will provision a dummy hub gateway on mfusion and create an IPSec VPN instance to emulate RansNet Gateway VPN settings, and assign all branch routers to the gateway VPN instance, like how we would do for typical RansNet SD-WAN provisioning. 
  • All VPN and routing configurations for the RansNet branch routers will be centrally generated and pushed, with just a few clicks.
  • How “GRE over IPSec” works
    • Configure IPSec tunnels between hub and spoke using external WAN IP addresses. Use IPSec to encrypt communications between loopback IP addresses of hub and spokes
    • Configure GRE tunnels using loopback IP addresses as the tunnel source and destination (therefore encrypting GRE tunnels).
    • Route traffic through the GRE tunnels (therefore actual traffic is encrypted)
  • On hub side (Cisco router)
    • Accept all incoming IPSec tunnel request (dynamic crypto map) as long as they all have the correct pre-shared key, regardless of their source IPs
    • Configure mGRE tunnel, so we don’t need to have individual tunnels for each spoke. Use static NHRP map GRE tunnel and loopback IP of each spoke.

Provisioning IOS router and Branch Routers on mfusion

Step 1: provision all branch routers and a dummy VPN gateway to mfusion. Follow this link for a detailed guide. The branch routers should be online after this step.

Step 2: import hosts to mfusion orchestrator.

Import the dummy “gateway” host to Orchestrator > Gateway, attach a “Empty” config template.

Import branch router to Orchestrator > SD-Branch, assign default template (or copy from other hosts if you already have existing configured hosts).

Step 3: On the dummy VPN gateway, create an IPSec VPN instance to emulate Gateway VPN settings

NOTE

Gateway IP” is the publicly accessible IP of Cisco VPN gateway
Pre-shared key and Phase I & II security policies need to set the same in Cisco config

.

Step 4: Assign all branch routers to the VPN instance and configure branch (remote) network for each router.

Notice Title

If you have multiple branch routers, just assign all to the same VPN instance and change the respective branch network setting.

.

Step 5: Click “Apply Config” and all settings will be pushed to the RansNet branch routers and they will auto initiate VPN tunnels to the Cisco router. (Note: Config push to the dummy VPN gateway will fail but just safely ignore that.)

Step 6: On the branch routers, configure firewall access rules to permit VPN traffic across the tunnel (Can configure a firewall template and apply to all branch routers). NAT is auto disabled for VPN tunnel networks, no special config required.

.

!
crypto ikev2 proposal RANSNET_IKE
 encryption aes-cbc-256
 integrity sha256
 group 5
!
crypto ikev2 policy RANSNET_IKE
 proposal RANSNET_IKE
!
crypto ikev2 profile RANSNET_IKE
 match identity remote any
 identity local address 49.128.58.76
 authentication remote pre-share key Letmein99
 authentication local pre-share key Letmein99
!
crypto ipsec transform-set RANSNET_ESP esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto dynamic-map RANSNET_MAP 10
 set transform-set RANSNET_ESP
 set ikev2-profile RANSNET_IKE
 match address 100
!
crypto map RANSNET_IPSEC 10 ipsec-isakmp dynamic RANSNET_MAP
!
interface Loopback0
 description "GRE tunnel source"
 ip address 10.1.168.1 255.255.255.255
!
interface Loopback1
 description "simulated LAN network"
 ip address 10.0.0.1 255.255.255.0
!
interface Tunnel1
 ip address 10.1.172.1 255.255.252.0
 no ip redirects
 ip nhrp map 10.1.172.2 10.1.168.2
 ip nhrp map 10.1.172.3 10.1.168.3
 ip nhrp network-id 1
 tunnel source 10.1.168.1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/0
 ip address x.x.x.x
 crypto map RANSNET_IPSEC
!
router bgp 65051
 bgp log-neighbor-changes
 timers bgp 5 15
 neighbor 0168_RansNet_SSL3IPSEC_1 peer-group
 neighbor 0168_RansNet_SSL3IPSEC_1 remote-as 65051
 neighbor 0168_RansNet_SSL3IPSEC_1 route-reflector-client
 neighbor 0168_RansNet_SSL3IPSEC_1 next-hop-self
 neighbor 0168_RansNet_SSL3IPSEC_1 soft-reconfiguration inbound
 neighbor 10.1.172.2 peer-group 0168_RansNet_SSL3IPSEC_1
 neighbor 10.1.172.3 peer-group 0168_RansNet_SSL3IPSEC_1
 network 10.0.0.0 mask 255.255.255.0
!
access-list 100 permit ip host 10.1.168.1 any
!

NOTE

10.1.168.x is the loopback IP range, auto assigned by the orchestrator. Gateway (Cisco) will always use the first IP
10.1.172.x is the GRE tunnel IP range, auto assigned by the orchestrator. Gateway will use the first IP.
The BGP config is optional if you do not wish to run dynamic routing, for a small number of spoke sites.
The newer IOS supports dynamic BGP neighbour, so you don’t need to specify each neighbour individually (bgp listen range 10.1.172.0/22 peer-group 0168_RansNet_SSL3IPSEC_1)

.

.

Verification

On Cisco router, verify IPSec status and BGP routing status

TEST#sho crypto session active
Crypto session current status

Interface: GigabitEthernet0/0
Profile: RANSNET_IKE
Session status: UP-IDLE
Peer: 111.65.56.224 port 54377
  Session ID: 528
  IKEv2 SA: local 192.168.99.123/4500 remote 111.65.56.224/54377 Active

Interface: GigabitEthernet0/0
Profile: RANSNET
Session status: UP-IDLE
Peer: 119.234.10.4 port 30841
  Session ID: 294
  IKEv2 SA: local 192.168.99.123/4500 remote 119.234.10.4/30841 Active

Interface: GigabitEthernet0/0
Profile: RANSNET_IKE
Session status: UP-IDLE
Peer: 175.156.212.53 port 4500
  Session ID: 526
  IKEv2 SA: local 192.168.99.123/4500 remote 175.156.212.53/4500 Active

Interface: GigabitEthernet0/0
Profile: RANSNET_IKE
Session status: UP-IDLE
Peer: 119.234.10.4 port 24445
  Session ID: 529
  IKEv2 SA: local 192.168.99.123/4500 remote 119.234.10.4/24445 Active

TEST#
TEST#sho ip bgp summary
BGP router identifier 10.7.7.11, local AS number 65051
BGP table version is 8, main routing table version 8
3 network entries using 432 bytes of memory
3 path entries using 240 bytes of memory
2/2 BGP path/bestpath attribute entries using 320 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 992 total bytes of memory
BGP activity 5/2 prefixes, 5/2 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.172.2      4        65051      51      55        8    0    0 00:04:02        1
10.1.172.3      4        65051    1044    1027        8    0    0 01:26:43        1

TEST#sho ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.99.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
B        10.1.1.0/24 [200/0] via 10.1.172.2, 00:04:07
B        10.2.2.0/24 [200/0] via 10.1.172.3, 01:22:10
TEST#ping 10.1.1.1 so
TEST#ping 10.1.1.1 source 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/48/120 ms
TEST#ping 10.2.2.1 source 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/32 ms
TEST#

Verify running status on RansNet branch router

mbox-branch# show ipsec status 
Connections:
49.128.58.76:  %any...49.128.58.76  IKEv2, dpddelay=10s
49.128.58.76:   local:  uses pre-shared key authentication
49.128.58.76:   remote: [49.128.58.76] uses pre-shared key authentication
49.128.58.76:   child:  10.1.168.2/32 === 10.1.168.1/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
49.128.58.76[1]: ESTABLISHED 5 minutes ago, 10.157.230.47[10.157.230.47]...49.128.58.76[49.128.58.76]
49.128.58.76[1]: IKEv2 SPIs: 01196420d033cb1d_i* f74ed74c774b54a4_r, rekeying disabled
49.128.58.76[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
49.128.58.76{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3d8077b_i e5615115_o
49.128.58.76{1}:  AES_CBC_256/HMAC_SHA2_256_128, 14972 bytes_i (198 pkts, 0s ago), 10759 bytes_o (141 pkts, 88s ago), rekeying disabled
49.128.58.76{1}:   10.1.168.2/32 === 10.1.168.1/32
mbox-branch# 
mbox-branch# show ip bgp summary 

IPv4 Unicast Summary (VRF default):
BGP router identifier 10.157.230.47, local AS number 65051 vrf-id 0
BGP table version 5
RIB entries 5, using 680 bytes of memory
Peers 1, using 712 KiB of memory
Peer groups 1, using 32 bytes of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
10.1.172.1      4      65051      1338      1368        0    0    0 00:05:16            2        1 N/A

Total number of neighbors 1
mbox-branch# show ip route bgp 
Codes: K - kernel route, C - connected, S - static, O - OSPF,
       B - BGP, N - NHRP, T - Table, v - VNC, V - VNC-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

B>* 10.0.0.0/24 [200/0] via 10.1.172.1, gre1, weight 1, 00:01:41
B>* 10.2.2.0/24 [200/0] via 10.1.172.3, gre1, weight 1, 00:05:19
mbox-branch# ping 10.0.0.1 source 10.1.1.1
PING 10.0.0.1 (10.0.0.1) from 10.1.1.1: 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=255 time=33.106 ms
64 bytes from 10.0.0.1: seq=1 ttl=255 time=32.053 ms
64 bytes from 10.0.0.1: seq=2 ttl=255 time=62.565 ms
64 bytes from 10.0.0.1: seq=3 ttl=255 time=62.243 ms
64 bytes from 10.0.0.1: seq=4 ttl=255 time=61.910 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 32.053/50.375/62.565 ms
mbox-branch# ping 10.2.2.1 source 10.1.1.1
PING 10.2.2.1 (10.2.2.1) from 10.1.1.1: 56 data bytes
64 bytes from 10.2.2.1: seq=0 ttl=63 time=228.013 ms
64 bytes from 10.2.2.1: seq=1 ttl=63 time=187.684 ms
64 bytes from 10.2.2.1: seq=2 ttl=63 time=148.846 ms
64 bytes from 10.2.2.1: seq=3 ttl=63 time=107.935 ms
64 bytes from 10.2.2.1: seq=4 ttl=63 time=56.509 ms

--- 10.2.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 56.509/145.797/228.013 ms

Snip of relevant CLI config on RansNet router2 (auto generated and pushed by orchestrator).

!
interface gre1
 tunnel local 10.1.168.3 remote 10.1.168.1
 enable
 ip address 10.1.172.3/22
!
interface lo
 ip address 10.1.168.3/32
!
interface wwan0
 enable
!
interface vlan 1 1
 description "Default VLAN for all LAN ports"
 enable
 ip address 10.2.2.1/24
!
ip name-server 8.8.8.8 8.8.4.4
!
ip host portal.ransnet.com 118.189.175.170
!
ipsec ike-policy 1
 authentication psk
 policy AES-256 SHA-256 5
!
ipsec esp-policy 1
 policy AES-256 SHA-256 5
!
ipsec peer 49.128.58.76
 local-id b0-bb-8b-07-14-80
 local-net 10.1.168.3/32
 remote-net 10.1.168.1/32
 policy ike 1 esp 1
 psk Letmein99
!
router bgp 65051
 bgp timer 5 15
 neighbor 0168_RansNet_SSL3IPSEC_1 as-peer
 neighbor 0168_RansNet_SSL3IPSEC_1 as-remote 65051
 neighbor 0168_RansNet_SSL3IPSEC_1 next-hop-self
 neighbor 0168_RansNet_SSL3IPSEC_1 soft-reconfiguration
 neighbor 0168_RansNet_SSL3IPSEC_1 weight 0
 neighbor 10.1.172.1 as-peer 0168_RansNet_SSL3IPSEC_1
 network 10.2.2.1/24
!

.

wpChatIcon
wpChatIcon